MSU foreign students at risk after errant email
Technorati Tag: Security Breach
Date Reported:
1/21/09
Organization:
Missouri State University ("MSU")
Contractor/Consultant/Branch:
International Student Services
Location:
Springfield, Missouri
Victims:
"foreign students"
Number Affected:
565
Types of Data:
"Sensitive personal information -- including Social Security numbers"
Breach Description:
"Sensitive personal information -- including Social Security numbers -- for 565 foreign students at MSU was leaked this month when a university office sent an e-mail message with the data inadvertently attached."
Reference URL:
Springfield News-Leader
Report Credit:
Didi Tang, Springfield News-Leader
Response:
From the online source cited above:
Sensitive personal information -- including Social Security numbers -- for 565 foreign students at MSU was leaked this month when a university office sent an e-mail message with the data inadvertently attached.
The school is investigating the incident and will contact all international students, offering answers and options to guard against identity theft, university officials said Tuesday.
The leak occurred Jan. 14 when Jody Pritt, director of international student services, contacted 179 international students via e-mail, soliciting their help with language tutoring
Only those who speak Bosnian, Arabic, Czech, Estonian, Romanian, Turkish, Hebrew, Lithuanian or the Indian dialect of Punjabi were contacted, said Clif Smart, MSU's legal counsel.
[Evan] I am amazed that there are 565 people at MSU who speak these languages!
The message they got from Pritt, however, had a spreadsheet attachment that contains names and Social Security numbers for international students, Smart said.
[Evan] Why does the Director of International Student Services need or have access to Social Security numbers?
It doesn't have the students' dates of birth.
The university realized the misstep within minutes and recalled some messages
[Evan] Have you ever tried to recall an email before?! Good luck with that.
The university contacted all recipients of the message and asked them to delete the message
Jeff Morrissey, the university's chief information officer, said the consequences may be mitigated somewhat by the fact that not all foreign students have Social Security numbers.
Foreign students only obtain the numbers when they have permission from the U.S. Department of Homeland Security to work.
Many international students have on-campus employment such as research and teaching assistantships that make them eligible for the numbers.
Social Security numbers for foreign students usually are only valid with work permission, and university officials say they hope that limitation will make the leaked numbers less prone to abuse.
On Friday, Pritt sent out another e-mail message, in which she apologized for the mistake, urged those who have the spreadsheet to purge the document, and offered some suggestions to prevent identify theft.
On Tuesday, Earle Doman, acting vice president for student affairs, wrote to the entire foreign student body on the Springfield campus, offering his apology and telling the students the university will soon call a meeting to answer questions and provide help.
Said Smart: "We want to let them know we're available to help them in any way we can."
MSU is looking into the feasibility of obtaining insurance for the students, he said.
"We can't commit to that now, but that's one of the top priorities," Smart said.
The incident is under an internal investigation, he said, and the school would work with an on-campus compliance officer to determine whether the school has complied with the Federal Education Rights and Privacy Act, he said.
[Evan] Today, I think there is something like a 4+ year backlog in FERPA case investigations. What do you expect from the federal government?
Asked if anyone could lose his or her job, Smart said: "It's too early to talk about this. Clearly this was a mistake."
Commentary:
Obviously, this was an employee mistake. Mistakes will happen, but there are things we (information security professionals) can do to minimize the impact and frequency of employee mistakes. In my experience, some environments are more apt to be breeding grounds for mistakes than others
.
Past Breaches:
Unknown
Date Reported:1/21/09
Organization:
Missouri State University ("MSU")
Contractor/Consultant/Branch:
International Student Services
Location:
Springfield, Missouri
Victims:
"foreign students"
Number Affected:
565
Types of Data:
"Sensitive personal information -- including Social Security numbers"
Breach Description:
"Sensitive personal information -- including Social Security numbers -- for 565 foreign students at MSU was leaked this month when a university office sent an e-mail message with the data inadvertently attached."
Reference URL:
Springfield News-Leader
Report Credit:
Didi Tang, Springfield News-Leader
Response:
From the online source cited above:
Sensitive personal information -- including Social Security numbers -- for 565 foreign students at MSU was leaked this month when a university office sent an e-mail message with the data inadvertently attached.
The school is investigating the incident and will contact all international students, offering answers and options to guard against identity theft, university officials said Tuesday.
The leak occurred Jan. 14 when Jody Pritt, director of international student services, contacted 179 international students via e-mail, soliciting their help with language tutoring
Only those who speak Bosnian, Arabic, Czech, Estonian, Romanian, Turkish, Hebrew, Lithuanian or the Indian dialect of Punjabi were contacted, said Clif Smart, MSU's legal counsel.
[Evan] I am amazed that there are 565 people at MSU who speak these languages!
The message they got from Pritt, however, had a spreadsheet attachment that contains names and Social Security numbers for international students, Smart said.
[Evan] Why does the Director of International Student Services need or have access to Social Security numbers?
It doesn't have the students' dates of birth.
The university realized the misstep within minutes and recalled some messages
[Evan] Have you ever tried to recall an email before?! Good luck with that.
The university contacted all recipients of the message and asked them to delete the message
Jeff Morrissey, the university's chief information officer, said the consequences may be mitigated somewhat by the fact that not all foreign students have Social Security numbers.
Foreign students only obtain the numbers when they have permission from the U.S. Department of Homeland Security to work.
Many international students have on-campus employment such as research and teaching assistantships that make them eligible for the numbers.
Social Security numbers for foreign students usually are only valid with work permission, and university officials say they hope that limitation will make the leaked numbers less prone to abuse.
On Friday, Pritt sent out another e-mail message, in which she apologized for the mistake, urged those who have the spreadsheet to purge the document, and offered some suggestions to prevent identify theft.
On Tuesday, Earle Doman, acting vice president for student affairs, wrote to the entire foreign student body on the Springfield campus, offering his apology and telling the students the university will soon call a meeting to answer questions and provide help.
Said Smart: "We want to let them know we're available to help them in any way we can."
MSU is looking into the feasibility of obtaining insurance for the students, he said.
"We can't commit to that now, but that's one of the top priorities," Smart said.
The incident is under an internal investigation, he said, and the school would work with an on-campus compliance officer to determine whether the school has complied with the Federal Education Rights and Privacy Act, he said.
[Evan] Today, I think there is something like a 4+ year backlog in FERPA case investigations. What do you expect from the federal government?
Asked if anyone could lose his or her job, Smart said: "It's too early to talk about this. Clearly this was a mistake."
Commentary:
Obviously, this was an employee mistake. Mistakes will happen, but there are things we (information security professionals) can do to minimize the impact and frequency of employee mistakes. In my experience, some environments are more apt to be breeding grounds for mistakes than others
Past Breaches:
Unknown
Posted by Evan Francen at 1/28/2009 11:46 AM 
Categories: Missouri State University, Employee Mistake
Categories: Missouri State University, Employee Mistake
Posts Atom 1.0
"Why does the Director of International Student Services need or have access to Social Security numbers?" The Student and Exchange Visitor Information System (SEVIS), administered by US Immigration and Customs Enforcement and mandated by the USA-PATRIOT Act requires it be used for regular reporting to DHS. Of course that doesn't mean that the Director should have the information sitting in a file on their desktop, but there you go.
Reply to this